Securing the Recommend Us feature in PostNuke/PHP Nuke

Posted by: David on Friday, March 28, 2008 - 04:00 PM
Php Security 
I've noticed some oddball email bounces stemming from the Recommend_Us module trying to send email to non-existent email addresses. A lot of them contain spam words which I won't list here. I came to the conclusion that this is a malicious attack on a PostNuke/PHP Nuke site, attempting to get the server hosting the site blacklisted as a source of spam. Therefore I think it is important that if you run a PostNuke or PHP Nuke site you take steps to secure the "Recommend Us" module. Since I am running PostNuke, the solution here is based on that CMS, but the same concepts apply to PHP Nuke.

Basically we want to make sure that a user is logged in before he/she can recommend the site/story from the site.

Here are the steps:

  • Head over to your root PostNuke directory, go to modules, and then Recommend_Us.

  • Make a backup copy of index.php.

  • Edit the file index.php.

  • Look for instances of:

    if (pnUserLoggedIn()) {

    and in the else portion, put in something like the following:

    die("You must be a member and logged in to send a recommendation.");

    Note that some already have the "else" and some you will have to add yourself, so that each occurrence ends up looking like:

    if (pnUserLoggedIn()) {
        // existing recommendation code stays here
    } else {
        die("You must be a member and logged in to send a recommendation.");
    }

  • Next I would recommend changing the text input boxes for "Your name" and "Your email" into hidden inputs instead. For instance, change:

    echo "
    <table>
    <tr>
    <td><span class=\"pn-normal\"><label for=\"YOURNAME\">"._FYOURNAME."</label></span></td>
    <td><input type=\"text\" name=\"yname\" value=\"$yn\" SIZE=\"25\" maxlength=\"25\" id=\"YOURNAME\" tabindex=\"0\" /></td>
    </tr>
    <tr>
    <td><span class=\"pn-normal\"><label for=\"YOUREMAIL\">"._FYOUREMAIL."</label></span></td>
    <td><input type=\"text\" name=\"ymail\" value=\"$ye\" size=\"25\" id=\"YOUREMAIL\" tabindex=\"0\" /></td>
    </tr>


    to

    echo "<table>
    <input type=\"hidden\" name=\"yname\" value=\"$yn\" /> <input type=\"hidden\" name=\"ymail\" value=\"$ye\" />


  • And voilà, you have just secured the recommendation feature against anonymous malicious users.
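As an added illustration (not the module's own code), here is the same guard written as one function the Recommend_Us handler can call before the mail is built; it goes one step further than the hidden inputs above by taking the sender's name and address from the logged-in account instead of the form, since a hidden field is still filled in by the browser. pnUserLoggedIn() is the PostNuke call used in the steps; pnUserGetVar() and the field names 'uname' and 'email' are assumptions.

```php
<?php
// Added example for this article; it is not PostNuke's own Recommend_Us code.
// pnUserLoggedIn() is the PostNuke call used in the steps above.
// pnUserGetVar() is assumed to return a field of the logged-in account;
// 'uname' and 'email' are assumed field names.

/**
 * Decide who the sender of a recommendation is, or stop the request.
 *
 * Anonymous visitors get the same die() message as the patch above.
 * For members, the name and address come from the account rather than
 * from the yname/ymail form fields, so a visitor cannot put an arbitrary
 * sender on the outgoing mail even if those fields are edited.
 */
function recommendUsSender()
{
    if (!pnUserLoggedIn()) {
        die("You must be a member and logged in to send a recommendation.");
    }
    return array(
        'yname' => pnUserGetVar('uname'),
        'ymail' => pnUserGetVar('email'),
    );
}

// Constructed stand-ins so the file also runs outside PostNuke (php -f);
// inside the CMS these functions already exist and the stubs are skipped.
if (!function_exists('pnUserLoggedIn')) {
    function pnUserLoggedIn() { return true; }
}
if (!function_exists('pnUserGetVar')) {
    function pnUserGetVar($name) {
        $fake = array('uname' => 'member', 'email' => 'member@example.com');
        return $fake[$name];
    }
}

// Usage at the top of the handler in modules/Recommend_Us/index.php,
// before the mail is assembled:
$sender = recommendUsSender();
$yn = $sender['yname'];
$ye = $sender['ymail'];
echo "Recommendation will be sent as $yn <$ye>\n";
```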
